Spotlight on Data Protection and E-Commerce Law for Hotels in China



Data and hotel technology

Businesses operating in the hospitality industry are currently facing significant challenges in overhauling their data collection and processing systems, particularly as they adopt new technologies for room reservations, check-in and check-out, and payments, as is currently the trend, and not just for luxury brands. In the normal course of business, hotels collect highly sensitive data such as guest identification or passport numbers, health information and credit card details.

The entry into force of the EU General Data Protection Regulation (GDPR), the basic EU data protection law, has not only changed the landscape of data privacy in Europe, but has also served as a global benchmark for privacy and data protection laws, shaping legislation around the world, including in China. China has taken significant steps to develop its data protection laws. The Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL) together form the troika of the regulatory framework for data management in China (together, the Chinese data protection laws). At the same time, data protection provisions are also scattered across different sectoral laws and regulations, including, for example, the Civil Code, criminal law, consumer rights law and telecommunications regulations. Regarding enforcement, China does not have a single independent authority responsible for enforcing personal data protection provisions. Enforcement responsibilities are mainly shared by, among others, three government bodies, namely the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology and the Ministry of Public Security.

The CSL went into effect on June 1, 2017, along with a few other regulations and measures broadly regulating the collection, storage, transmission and use of personal information by Critical Information Infrastructure Operators (CIIOs) and network operators, which hotels are very likely to be. Prior to the adoption of the PIPL and in the absence of a dedicated law protecting personal information, the recommended national standard Information Security Technology – Personal Information Security Specification (GB/T 35273–2020) (the PI Specification) played an important role in providing guidance for compliance in the handling of personal information. The PI Specification is also referred to as the Chinese GDPR, because the GDPR served as the main model when this set of national standards was written. This non-binding guideline contains detailed requirements on data processing and protection (e.g. excessive collection of users’ personal information, forced collection and bundled authorization are not permitted). Chinese government authorities are known to enforce the PI Specification as an important compliance measure alongside the binding data protection laws and regulations.

The long-awaited PIPL was officially adopted on August 20, 2021 and entered into force on November 1, 2021. The PIPL is an important milestone on China’s road to personal information protection. The PIPL not only echoes existing data protection provisions under the CSL, Civil Code and DSL, but also improves data protection by introducing new concepts and codifying into law best practices accumulated domestically (e.g. the PI Specification) and overseas (e.g. the EU GDPR). Businesses operating in the hospitality sector are required to comply with PIPL data protection requirements, such as:

  1. follow the principles of legality, legitimacy, necessity and good faith, legitimate purpose and data minimization, transparency, accuracy, accountability, security and minimization of storage;
  2. rely on an appropriate legal basis for processing the data;
  3. where consent is required, ensure compliance with consent standards, including that consent is fully informed, freely and unambiguously given, and obtain separate consent in the specific circumstances stipulated in the PIPL;
  4. respect the rules for the transfer of personal data;
  5. respond to data subject rights requests, such as requests for access, correction, erasure, portability, objection and restriction, as appropriate; and
  6. adopt accountability and data governance measures, such as conducting a privacy impact assessment, maintaining records of processing, assessing the need for a data protection officer and responding to data breaches with the required notifications.

One of the challenges that companies in the hospitality sector are facing or will face is the requirements for the transfer of personal data. Under the CSL, it is necessary to obtain informed consent from data subjects for the transfer or disclosure of their personal data to a third party, although detailed requirements as to the nature of the consent are lacking. However, consent to an overseas transfer of data may be implied by an individual’s actions, for example when sending international emails or instant messages, when making international phone calls or when carrying out international transactions on the Internet, in accordance with the draft Guidelines for Cross-Border Data Transfer Security Assessment published by the National Technical Committee for Standardization of Information Security in May 2017. In addition, the Measures for the Security Assessment of Outbound Data Transfers recently published by the CAC, which will come into force on September 1, 2022, require network operators to obtain regulatory approval for transfers of personal data outside of China in several circumstances, including the outbound transfer of personal information by CIIOs. This burden is heavier than the self-assessment procedure foreseen by the previous draft in 2017 and would have significant implications for companies in the hospitality sector as network operators. However, regulatory approval (valid for two years from the date of publication of the assessment result) for repeated or continuous transfers of personal data to the same recipient would not be required, except in the case of a change in the type of data transferred, the purpose of the transfer or the authorized retention period. It should also be noted that the PIPL introduces a new framework for the transfer of personal information (i.e. the export of data can be achieved by entering into a standard contract, which must be formulated by the authority, with the recipients of the data, by obtaining a data protection certification, etc.). In addition to the above, the PIPL also provides that an information notice must be provided to the data subjects whose personal information will be transferred and that “separate consent” must be obtained from them.

In light of these new regulations, the PIPL and other implementing rules to be published, companies are required to carefully review their IT structure, internal processes and internal data protection or privacy policies, and to develop new governance procedures or revise existing ones to protect customers’ privacy rights. Chinese data protection law imposes an obligation on companies to promptly notify the relevant authorities and affected individuals in the event that a data incident has occurred or is likely to occur, and to take immediate corrective action. The proposed Cybersecurity Multi-Level Protection System (MLPS) Regulations require network operators to report cyber incidents to the local branch of the Ministry of Public Security within 24 hours. Additionally, under the National Cybersecurity Incident Contingency Plans in effect since January 2017, cyber incidents must be reported to the CAC Cybersecurity Coordination Office under several circumstances.

In terms of data security, the DSL, promulgated on June 10, 2021 and taking effect on September 1, 2021, further strengthens data security by establishing a fundamental, categorized data security system that applies to data processing carried out on the territory of China, and to entities and individuals located outside of China if their data processing activities harm national security, the public interest or the legitimate interests of persons in China. Unlike the CSL, which contains provisions applicable to personal information and certain other data, the DSL focuses on “data” in general and has a broader application. Hospitality businesses should take active and timely steps to assess whether the DSL applies to their data processing activities inside and outside of China, and to evaluate the data security measures they have put in place.

For multinational companies operating in the hospitality sector, or multinational companies doing business in China in general, it is necessary to know the China-specific add-ons to their global data protection and cybersecurity compliance program. These include data localization, security assessments (where applicable) prior to cross-border data transfers, personal information security impact assessments and the multi-level protection system.

Hospitality was the third most targeted sector after retail and finance in an onslaught that left few corners of the sector untouched, according to a 2018 report by information security firm Trustwave Holdings. Hilton Worldwide Holdings Inc., Hyatt Hotels Corp. and InterContinental Hotels Group have all been targeted in past attacks, along with Trump Hotels, Radisson Hotel Group and Mandarin Oriental. The most recent investigation of a major industry player was that of Marriott International, which announced that it had taken a charge of US$126 million in the second quarter, mainly due to the data breach it had announced in 2018. Coincidentally, on July 9, 2019, the UK Information Commissioner’s Office, which enforces the GDPR in the UK, announced its intention to impose a £99,200,396 fine on Marriott for its data breach. The stakes only go up. Hospitality companies are experimenting with voice-activated technology and internet-connected rooms, which could mean storing an increased amount of personal information, such as biometrics or what time guests go to bed. Although cost-conscious investors see more immediate returns from money spent on new carpeting rather than on intangible security measures, ignoring compliance with new regulations, especially in technology, can come at a very high cost.

